In access_allowed(), when called with null o_bd field, the first
database is selected, where the first real database is traditionally
intended. The current code has been modified to pick the first
database by calling

op->o_bd = LDAP_STAILQ_FIRST( &backendDB );

However, if back-config is enabled, it is forced to be the first
database in the list. I can't figure out, right now, how this can be
solved in a clean manner.

Hmmm... As per ITS#3100, the behavior to use the first backend has been
in place for a long time, but it doesn't make a lot of sense in itself,
it seems it was just a hack (acl.c rev 1.93) to allow ACL checks to be
performed on the rootDSE and other objects that live outside of a
regular backend. Since we now have a frontendDB where the global ACLs
live, I think we should just use the frontendDB here.